Visualizing MITRE Tactic and Technique Coverage in Your Environment
Visualize the coverage of MITRE ATT&CK tactics and techniques that the rules provide in IBM QRadar. After you organize the rule report, you can visualize the data through diagrams and heat maps and export the data to share with others.
If you want to filter by MITRE ATT&CK tactics, you must first map your rules to MITRE tactics and techniques. For more information, see Editing MITRE Mappings in a Rule or Building Block.
- To see the levels of MITRE ATT&CK technique coverage, complete the following steps:
  - Click ATT&CK Actions > Coverage map and report in the upper right of the visualization pane.
  - Scroll through the heat map visualization to see the different techniques that are covered by QRadar Use Case Manager. For more information, see MITRE Heat Map Calculations.
  - To see only the mappings for rules that are currently in the coverage map and report, set Rules in the report to On. Click any section in the heat maps and then click Apply Filters to update the filtered list in the table report.
  - To see which MITRE techniques are used by adversary groups and software, select the appropriate filters from the Highlight groups and Highlight software lists. Relevant groups are highlighted in the heat map by pink sidebars, and relevant software is highlighted by purple sidebars.
  - To see only the techniques that are selected in the filter, hold the Control key (Windows) or the Command key (Mac) and select the relevant techniques on the heat map. Then set Filter map to Techniques in filter; techniques that are not in the filter are hidden from the heat map. If you don't see any technique filters in the heat map, add techniques in the MITRE ATT&CK section of the filter pane or select techniques in the map.
  - To expand the visualization pane to the width of your screen, click the maximize icon on the menu bar of the pane. Zoom in or out to see the visualization at the size you want. Any filtering that you apply in the expanded pane is kept when you return to the Use Case Explorer. The zoom capability is not supported on Mozilla Firefox; use the browser controls to zoom in and out.
- To see the levels of MITRE ATT&CK tactic coverage, complete the following steps:
  - Click ATT&CK Actions > Coverage summary and trend in the upper right of the visualization pane. The summary and trend reports provide an overview of the different tactics that are covered by QRadar Use Case Manager. You can analyze the summary data in table, bar, and radar charts.
  - Edit the MITRE Coverage Summary table chart to change the planned number and percentage and see where your coverage falls short. For example, the current number of rules for the Privilege Escalation tactic is 8, which represents 4% coverage, but you want 35% coverage. When you edit the planned percentage, you see that you need 77 rules to provide that level of coverage.
  - After you add the rule mappings you need, check the coverage report again to see whether your coverage improved.
  - Change the date for the chart coverage by clicking the calendar icon for On date. The current date is the default; you can set the date as far back as three months before the current date.
  - In the MITRE Coverage Trend chart, click a tactic in the legend to fine-tune the view or to view the total coverage trend over time. The default time range is three months. Hover over the vertical line for each day to see the total coverage for each tactic.
  - To update the charts with live data from QRadar, click the refresh icon. Data is refreshed automatically every 24 hours, at night.
- Close the report visualization to return to the dashboard.
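The Coverage summary step above works from two figures per tactic: how many distinct rules are mapped to it, and a planned denominator that turns that count into a percentage and a "rules needed" number. The script below is an added example, not code from the IBM QRadar documentation or from Use Case Manager, that reproduces that arithmetic over a small set of rule-to-technique mappings and also derives the per-technique counts that a coverage heat map displays. The rule names, the mappings and the per-tactic denominators are constructed sample data; in particular, the Privilege Escalation denominator of 220 is an assumption chosen so that the arithmetic matches the 8-rule, 4%, 35%, 77-rule figures quoted in the text. How Use Case Manager itself computes its percentages is documented under MITRE Heat Map Calculations, not here, and the JSON export format at the end (`techniqueID`, `score`) is likewise an assumed shape for sharing the data rather than a product format.

```python
import json
import math
from collections import defaultdict

# Constructed sample data: (rule name, MITRE ATT&CK tactic, technique ID).
# In QRadar these mappings come from the rule report once rules are mapped to ATT&CK.
RULE_MAPPINGS = [
    ("Multiple Login Failures from Same Source", "Credential Access", "T1110"),
    ("Password Spraying Detected", "Credential Access", "T1110"),
    ("User Added to Local Administrators", "Privilege Escalation", "T1078"),
    ("Scheduled Task Created by Non-Admin", "Privilege Escalation", "T1053"),
    ("Scheduled Task Created by Non-Admin", "Persistence", "T1053"),
    ("Encoded PowerShell Command Line", "Execution", "T1059"),
]

# Constructed planned denominators per tactic. Assumption: coverage percentage is
# distinct mapped rules divided by this figure. 220 for Privilege Escalation is chosen
# so that 8 rules round to 4% and a 35% target needs 77 rules, as in the documentation.
PLANNED_DENOMINATOR = {
    "Credential Access": 50,
    "Execution": 80,
    "Persistence": 100,
    "Privilege Escalation": 220,
}


def tactic_rule_counts(mappings):
    """Distinct rules mapped to each tactic (a rule mapped twice to one tactic counts once)."""
    rules_by_tactic = defaultdict(set)
    for rule, tactic, _technique in mappings:
        rules_by_tactic[tactic].add(rule)
    return {tactic: len(rules) for tactic, rules in rules_by_tactic.items()}


def technique_rule_counts(mappings):
    """Distinct rules per technique: the per-cell values behind a coverage heat map."""
    rules_by_technique = defaultdict(set)
    for rule, _tactic, technique in mappings:
        rules_by_technique[technique].add(rule)
    return {technique: len(rules) for technique, rules in rules_by_technique.items()}


def coverage_percent(rule_count, denominator):
    """Whole-number coverage percentage, rounded half up, using integer arithmetic."""
    return (200 * rule_count + denominator) // (2 * denominator)


def planned_rules(target_percent, denominator):
    """Rules required to reach target_percent of the denominator (rounded up)."""
    return -(-target_percent * denominator // 100)


def rules_needed(current_rules, target_percent, denominator):
    """Additional rule mappings still required to reach the planned percentage."""
    return max(0, planned_rules(target_percent, denominator) - current_rules)


def coverage_summary(mappings, denominators, planned_percent):
    """One row per tactic, in the shape of a MITRE Coverage Summary table."""
    counts = tactic_rule_counts(mappings)
    rows = []
    for tactic in sorted(denominators):
        current = counts.get(tactic, 0)
        denominator = denominators[tactic]
        rows.append({
            "tactic": tactic,
            "rules": current,
            "coverage_percent": coverage_percent(current, denominator),
            "planned_percent": planned_percent,
            "planned_rules": planned_rules(planned_percent, denominator),
            "rules_needed": rules_needed(current, planned_percent, denominator),
        })
    return rows


def heat_map_export(mappings, name="QRadar rule coverage"):
    """Share-ready JSON with one entry per technique and its rule count.
    The field names are an assumed shape, not a format defined by Use Case Manager."""
    cells = [{"techniqueID": tid, "score": n}
             for tid, n in sorted(technique_rule_counts(mappings).items())]
    return json.dumps({"name": name, "techniques": cells}, indent=2)


if __name__ == "__main__":
    for row in coverage_summary(RULE_MAPPINGS, PLANNED_DENOMINATOR, planned_percent=35):
        print(row)
    print(heat_map_export(RULE_MAPPINGS))
```

Counting distinct rules per tactic matters because one rule is routinely mapped to several techniques under the same tactic; counting mappings instead of rules would overstate coverage. The rounding functions use integer arithmetic so that a planned percentage never produces an off-by-one "rules needed" figure from floating-point error.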